[strongSwan] (Vici) How to disconnect a VPN connection on the server side?

Tobias Brunner tobias at strongswan.org
Mon Sep 9 14:38:01 CEST 2019

Hi Houman,

> Is there is a way to disconnect a specific strongswan user from the
> command line?

Not directly (at least not via vici, it might be possible via RADIUS,
depending on the RADIUS server).

> I have found the Vici plugin, but there is no documentation whatsoever.

What do you mean?  [1] provides an overview and has a link to the
README.md file that describes the available commands and even contains
simple code examples.  The Python bindings are basically a wrapper that
provides a convenient interface for these commands.

> import vici
> s = vici.Session()
>>>> s.list_conns()
> <generator object Session.streamed_request at 0x7ff658411ed0>

That returns the configured connections, so that's not really useful to
you.  More interesting will be the list of established IKE_SAs (s.list_sas).

> Looking at the code there is a "filters" as an argument to pass in:

That argument can be used to pass information to the command (check the
README for what the options are).  For example, with list-sas you can
filter based on the name or unique ID of an SA and/or pass a flag that
determines if the command operates in non-blocking mode (blocked SAs are
skipped).  There is no option to filter by remote/user ID, so you have
to enumerate the established SAs (list-sa documents the returned
information) and check remote-(eap-)id yourself.

> But I'm stuck as I don't know how to set that. There must be some kind
> of documentation for this right? 

As I said, the README file documents the commands and arguments.

> I suppose once I have the actual SA, I could pass it to terminate(). 

Get the unique ID of the SA and then terminate it using that.


[1] https://wiki.strongswan.org/projects/strongswan/wiki/Vici

More information about the Users mailing list